Level 4

Block excessive logins

Block the user from logging in for a period of time after no more than 10 successive invalid login attempts.
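The control above names a threshold but not the mechanics: counting only successive failures, clearing the count on success, refusing to evaluate the password at all while the lock is in force, and letting the lock expire. The following is an added example written for this page, not code from Harvard or from any product; the 15-minute lock duration, the account names and the attack sequence are assumptions for illustration, and the fake clock exists so the expiry path can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Policy parameters. The 10-attempt threshold is the page's requirement;
# the 15-minute lock duration is an assumption for this example.
MAX_FAILURES = 10
LOCKOUT_SECONDS = 15 * 60


@dataclass
class _Record:
    failures: int = 0          # successive invalid attempts so far
    locked_until: float = 0.0  # clock reading at which the lock expires


class LoginLockout:
    """Per-account counter of successive failed logins with a timed lock."""

    def __init__(self, max_failures: int = MAX_FAILURES,
                 lockout_seconds: float = LOCKOUT_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so lock expiry can be exercised in a test
        self._records: Dict[str, _Record] = {}

    def is_locked(self, user: str) -> bool:
        rec = self._records.get(user)
        return rec is not None and self.clock() < rec.locked_until

    def attempt(self, user: str, credentials_ok: Callable[[], bool]) -> str:
        """Gate one login attempt; returns 'locked', 'ok' or 'denied'.

        credentials_ok is called only when the account is not locked, so the
        password is never evaluated during the lock and a correct guess is
        indistinguishable from a wrong one to whoever is guessing.
        """
        rec = self._records.setdefault(user, _Record())
        now = self.clock()
        if now < rec.locked_until:
            return "locked"
        if credentials_ok():
            rec.failures = 0  # a successful login clears the streak
            return "ok"
        rec.failures += 1
        if rec.failures >= self.max_failures:
            # Tenth successive failure: lock the account and restart the
            # streak so the next lock needs a fresh run of failures.
            rec.locked_until = now + self.lockout_seconds
            rec.failures = 0
        return "denied"


def demo(clock_start: float = 0.0) -> List[str]:
    """Run a constructed guessing sequence against a fake clock and return
    the outcome of each attempt, in order."""
    clock = [clock_start]
    guard = LoginLockout(clock=lambda: clock[0])
    wrong = lambda: False
    right = lambda: True
    outcomes = [guard.attempt("alice", wrong) for _ in range(MAX_FAILURES)]
    outcomes.append(guard.attempt("alice", right))  # locked: correct password refused
    clock[0] += LOCKOUT_SECONDS + 1                 # lock has expired
    outcomes.append(guard.attempt("alice", right))  # ok
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The record is keyed by the submitted account name and is created whether or not the account exists, so the response timing does not reveal which usernames are valid. In a real deployment the records would live in shared storage so that every front end sees the same count, and the lock event would be logged for the access-log requirement further down this page.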

Permit only competent operation of servers

It is important that anyone who performs administrative responsibilities on these systems have sufficient technical knowledge, via experience and/or training, to be able to implement these requirements and recognize when they need to seek help.

Servers must meet the most stringent requirement

Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification. If you aren't able to identify whether or not a server may hold HRCI (High Risk Confidential Information), apply the Level 4 controls.

No Level 4 On Devices

Work from materials stored on approved servers or services and do not copy them to your local system. If you are conducting field research to collect Level 4 data and cannot meet this requirement, send an email to ithelp@harvard.edu to request an information security consultation about Harvard-approved external encrypted portable storage media and the process for using it.

Secure locations

SC8: Servers must be kept in secure locations and properly inventoried, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

User access

SC7: User access to Level 4 information on servers must be logged, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Access logs

SC6: Logs of user and administrator access to servers and applications must be securely maintained on a remote computer, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Permitted access

SC5: The business application owner for applications dealing with Level 4 information must designate which employees have permission to access Level 4 information about others from outside the Harvard wired network or a Harvard wireless network that is strongly authenticated and encrypted.

Outbound traffic

SC4: Outbound traffic from servers must be limited to that required to properly operate the service, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Server vulnerability

SC3: Server operators must take reasonable actions on a regular basis to ensure that their systems are not vulnerable to attack, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Private address space

SC2: Servers with Level 4 information must be on private address space, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
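Checking SC2 against a server inventory is easy to get wrong in two ways: a dual-stack host reports IPv4 peers and interfaces as IPv4-mapped IPv6 addresses, and Python's built-in IPv4Address.is_private answers True for reserved ranges (0.0.0.0/8, the 203.0.113.0/24 documentation block) that are not private address space in the RFC 1918 sense. The following audit is an added example written for this page, not a Harvard tool; the hostnames and addresses in the inventory are constructed, and the reading of "private address space" as RFC 1918 plus IPv6 unique local addresses (RFC 4193) is an assumption.

```python
import ipaddress
from typing import Iterable, List, Tuple

# "Private address space" as assumed for this example: RFC 1918 for IPv4 and
# RFC 4193 unique local addresses for IPv6. The networks are listed explicitly
# instead of relying on IPv4Address.is_private, which also answers True for
# 0.0.0.0/8 and the 203.0.113.0/24 documentation block.
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]


def is_private_space(addr_text: str) -> bool:
    """True if the address lies in RFC 1918 or RFC 4193 space."""
    addr = ipaddress.ip_address(addr_text.strip())
    # A dual-stack socket reports IPv4 peers as ::ffff:a.b.c.d; judge those
    # by the embedded IPv4 address rather than as an IPv6 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Membership across address families is simply False, so one list serves both.
    return any(addr in net for net in PRIVATE_NETWORKS)


def audit_inventory(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (hostname, address) entries that are not on private space."""
    return [(host, ip) for host, ip in inventory if not is_private_space(ip)]


# Constructed inventory for the example; these are not real Harvard hosts.
SAMPLE_INVENTORY = [
    ("hrci-db-01", "10.20.30.40"),          # RFC 1918
    ("hrci-app-01", "172.31.5.9"),          # RFC 1918 (top of 172.16/12)
    ("hrci-app-02", "::ffff:192.168.7.8"),  # IPv4-mapped, RFC 1918 inside
    ("hrci-batch-01", "fd12:3456::10"),     # IPv6 unique local
    ("hrci-legacy-01", "100.64.3.4"),       # carrier-grade NAT space, not RFC 1918
    ("hrci-web-01", "203.0.113.5"),         # not private; is_private would say True
]


if __name__ == "__main__":
    for host, ip in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {ip} is not on private address space")
```

Run against the sample inventory the audit reports hrci-legacy-01 and hrci-web-01. The 100.64.0.0/10 case is worth a deliberate decision: it is not publicly routable, but it is shared with an upstream carrier, so treating it as private is a choice the policy owner should make explicitly rather than one the tool should make silently.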
